The phishing phenomenon is at epidemic levels, particularly among financial institutions. I like to think that I am acutely aware of dangers such as these (after all, I authored two e-learning courses on security and privacy), but even so I get agitated when I see an e-mail from my bank.
I get half a dozen such e-mails a day urging me to click a link and update my account details. The problem is that though I know they are scam e-mails, but I have to open them just in case they are not. One look at the e-mail's source code tells me immediately I am dealing with yet another attempt to rip me off, so I naturally do not click the link provided. But by then it is too late: the scammer's server has registered that my e-mail client has requested the image for the html e-mail, and my address is confirmed as a "hot" target for future projects related to that particular bank.
According to this CNET article 7 out of 10 people who go online have received phishing e-mails, and 15 percent of those have successfully been duped into providing personal information.
That is a lot of people in anyone's customer base. The absolute cost of reparations to victimized customers is one thing. The impact on a brand that is repeatedly abused by phishers is another. Credibility is eroded, and consumer confidence in dealing with the company behind the brand dissipates. Technology may help sometime down the line. In the meantime, the best a company can do is to educate its customers.
Who is best placed to provide that education? Marketing, Training, IT, Customer Relations? Surely this is one issue to which all parties should commit their best minds. Marketing people are good at building awareness and stimulating customers to act, but they are not the best at providing a learning experience. Trainers can provide a great learning experience, but need to work with the subject matter expertise of IT people. And customer relations people can do a reasonable job of reactively hand-holding nervous customers, but need marketing to handle the pro-active side of the process.
I have talked with customer relations people at my bank. I have talked with people in the fraud department. I have received mailings from (I assume) the marketing or legal people, on the subject of phishing. None of them do anywhere near a decent job of informing me of what it is I have to look out for, what consequences I have to fear, or what course of action is open to me if I do fall victim.
Get the trainers involved. Educating your customers is something that trainers are doing more and more of in other areas. Shouldn't they get posted to the front lines on this one?